Solved: eval and coalesce return unicode list. How to sepa...

zhatsispgx · ‎09-30-2016

So when I run the following search, 'event_name' returns a list of all event_name values which match the coalesce(src_ip,host_ip). The output looks to be a python unicode list. i.e. : [u'itemnumber1',u'itemnumber2','itemnumber3'] etc.

sourcetype=suricata OR sourcetype=nessus_scans AND risk!=None | 
eval src_ip = coalesce(src_ip,host_ip) | 
table msg, src_ip, dst_ip, dst_port, event_name, risk

How would i make this so each 'itemnumber(n)' would return a new row, or pretty formatting so that its more readable?

sundareshr · ‎09-30-2016

Try this

 sourcetype=suricata OR sourcetype=nessus_scans AND risk!=None |  eval src_ip = coalesce(src_ip,host_ip) | makemv event_name delim="," | mvexpand event_name | table msg, src_ip, dst_ip, dst_port, event_name, risk

View solution in original post

sundareshr · ‎09-30-2016

Try this

 sourcetype=suricata OR sourcetype=nessus_scans AND risk!=None |  eval src_ip = coalesce(src_ip,host_ip) | makemv event_name delim="," | mvexpand event_name | table msg, src_ip, dst_ip, dst_port, event_name, risk

eval and coalesce return unicode list. How to separate each item into a new row?

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!

Are you a member of the Splunk Community?

eval and coalesce return unicode list. How to separate each item into a new row?

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!